From owner-freebsd-pf@FreeBSD.ORG Mon Jul 24 09:29:46 2006
From: Harald Muehlboeck
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 24 Jul 2006 11:32:36 +0200
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <86wta3e4az.fsf@tuha.clef.at>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <20060717122127.GC1087@zaphod.nitro.dk>

Simon L. Nielsen writes:

> On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:
>
>> The "hole" being discussed is the time, during boot, before pf is fully
>> functional with the production ruleset. For a comparatively long time,
>> the pf module isn't even loaded yet.
>>
>> So, you first need to check the boot sequence for
>>
>> - interfaces being brought up before pf is loaded
>> - addresses assigned to those interfaces
>> - daemons starting and listening on those addresses
>> - route table getting set up
>> - IP forwarding getting enabled
>> - etc.
>
> Since nobody else seems to have actually done this, I took a look at
> FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
> see a hole. Most importantly pf is enabled before routing.
>
> # rcorder -s nostart /etc/rc.d/*
> [...]
> /etc/rc.d/ipfilter
> [...]
> /etc/rc.d/sysctl
> [...]
> /etc/rc.d/pf
> /etc/rc.d/routing
> [...]

But net.inet.ip.forwarding=1 can also be set in sysctl.conf(5), as well as
many other options like bridging, ... (I don't know if it is usual to do so)

From owner-freebsd-pf@FreeBSD.ORG Mon Jul 24 11:03:26 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 24 Jul 2006 11:02:51 GMT
Subject: Current problem reports assigned to you
Message-Id: <200607241102.k6OB2pHA013715@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271     pf    [pf] cbq scheduler cause bad latency
f [2005/09/13] kern/86072     pf    [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949     pf    [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530  pf    Incorrect checksums when using pf's route

4 problems total.

Non-critical problems

S Submitted    Tracker        Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042     pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25] kern/93825     pf    [pf] pf reply-to doesn't work
o [2006/03/27] kern/94992     pf    [pf] [patch] pfctl complains about ALTQ m
o [2006/04/21] bin/96150      pf    pfctl(8) -k non-functional

4 problems total.
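The boot-order check that Daniel Hartmeier's list, Simon L. Nielsen's rcorder listing and Harald Muehlboeck's sysctl.conf remark describe in the thread above, as an added shell example (editor's code, not anything posted to the list). It answers three questions from an rcorder listing: which rc.d scripts run before pf, whether pf is ordered before routing, and whether /etc/sysctl.conf (applied by /etc/rc.d/sysctl, which Simon's listing shows ahead of pf) already turns on net.inet.ip.forwarding. The rcorder output and sysctl.conf it reads are constructed samples; the position of netif in the sample is an assumption, so run it against your own host's `rcorder -s nostart /etc/rc.d/*` and /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the window between interface
# setup and pf loading its ruleset (Daniel's checklist) using the ordering
# rcorder(8) prints. Sample inputs below are constructed; on a FreeBSD box use
#   rcorder -s nostart /etc/rc.d/* | scripts_before pf
#   forwarding_enabled_in_sysctl_conf /etc/sysctl.conf

# runs_before A B: exit 0 when rc.d script A is listed before script B in the
# rcorder output on stdin; exit 1 when B comes first or either is missing.
runs_before() {
    awk -v a="$1" -v b="$2" '
        { n = split($0, p, "/"); name = p[n] }
        name == a && !(a in pos) { pos[a] = NR }
        name == b && !(b in pos) { pos[b] = NR }
        END { exit !((a in pos) && (b in pos) && pos[a] < pos[b]) }'
}

# scripts_before X: print the rc.d scripts that run before X. Anything here
# that configures an address, starts a listener or sets a route does so
# before pf is loaded, which is the "hole" Daniel describes.
scripts_before() {
    awk -v x="$1" '
        { n = split($0, p, "/"); name = p[n] }
        name == x { exit }
        NF { print name }'
}

# forwarding_enabled_in_sysctl_conf [file]: exit 0 when sysctl.conf turns on
# net.inet.ip.forwarding. Harald's point: /etc/rc.d/sysctl applies this file
# and is ordered before /etc/rc.d/pf in Simon's listing, so the box forwards
# before the production ruleset is in place. Comments and spacing are ignored.
forwarding_enabled_in_sysctl_conf() {
    cat "${1:--}" | sed -e 's/#.*$//' -e 's/[[:space:]]//g' |
        grep -q '^net\.inet\.ip\.forwarding=1$'
}

# Constructed rcorder output in the shape of Simon's listing (abridged; where
# netif sits relative to pf is an assumption, check your own host).
sample_rcorder() {
cat <<'EOF'
/etc/rc.d/hostid
/etc/rc.d/mountcritlocal
/etc/rc.d/netif
/etc/rc.d/ipfilter
/etc/rc.d/sysctl
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/sshd
EOF
}

# Constructed sysctl.conf that enables forwarding early.
sample_sysctl_conf() {
cat <<'EOF'
# constructed sample
net.inet.ip.forwarding=1    # live as soon as /etc/rc.d/sysctl runs
kern.ipc.somaxconn=1024
EOF
}

# Human-readable report over the samples.
boot_window_report() {
    echo "scripts that run before pf:"
    sample_rcorder | scripts_before pf | sed 's/^/  /'
    if sample_rcorder | runs_before pf routing; then
        echo "ok: pf is enabled before routing"
    else
        echo "WARNING: routing is set up before pf"
    fi
    if sample_sysctl_conf | forwarding_enabled_in_sysctl_conf; then
        echo "WARNING: net.inet.ip.forwarding=1 in sysctl.conf takes effect before pf"
    fi
}

boot_window_report
```

The report only says what runs before pf; it cannot tell whether those scripts actually expose anything, so follow it with the rest of Daniel's list (which addresses and listeners exist at that point) on the real host.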
From owner-freebsd-pf@FreeBSD.ORG Tue Jul 25 15:31:42 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8246916A4DD for ; Tue, 25 Jul 2006 15:31:42 +0000 (UTC) (envelope-from max@neuropunks.org) Received: from neuropunks.org (neuropunks.org [69.31.43.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3B44343D46 for ; Tue, 25 Jul 2006 15:31:41 +0000 (GMT) (envelope-from max@neuropunks.org) Received: from localhost (localhost [127.0.0.1]) by finn.neuropunks.org (Postfix) with ESMTP id 20870CC for ; Tue, 25 Jul 2006 10:31:27 -0500 (EST) Received: from neuropunks.org ([127.0.0.1]) by localhost (finn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 98960-07 for ; Tue, 25 Jul 2006 10:31:23 -0500 (EST) Received: from [192.168.0.4] (styx.neuropunks.org [216.254.70.208]) by finn.neuropunks.org (Postfix) with ESMTP id 6715680 for ; Tue, 25 Jul 2006 10:31:23 -0500 (EST) Message-ID: <44C63768.8090103@neuropunks.org> Date: Tue, 25 Jul 2006 11:23:20 -0400 From: Max Gribov User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: rdr to internal servers doesnt work with load balancing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Jul 2006 15:31:42 -0000 Hello all, is it possible to load balance two lines, but have 1 specific port redirected into internal network from only one of those lines? Especially when that line's next hop upstream is not the default gw for the machine? 
I know i can do this on the line which is also used as default gw, but doesnt seem like i can the other way around. I spent several hours using different no nat, route-to, reply-to combinations, but it just doesnt work. I appreciate any feedback on this... Max From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 04:09:41 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE20716A4DD for ; Wed, 26 Jul 2006 04:09:41 +0000 (UTC) (envelope-from samba@embeddedinfotech.com) Received: from relay02.pair.com (relay02.pair.com [209.68.5.16]) by mx1.FreeBSD.org (Postfix) with SMTP id 3EC0F43D4C for ; Wed, 26 Jul 2006 04:09:41 +0000 (GMT) (envelope-from samba@embeddedinfotech.com) Received: (qmail 19846 invoked by uid 0); 26 Jul 2006 04:09:39 -0000 Received: from unknown (HELO ?192.168.1.73?) (unknown) by unknown with SMTP; 26 Jul 2006 04:09:39 -0000 X-pair-Authenticated: 202.153.42.171 Message-ID: <44C6EB01.2050303@embeddedinfotech.com> Date: Wed, 26 Jul 2006 09:39:37 +0530 From: samba User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Porting proxies/ALGs into to the kernel X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jul 2006 04:09:41 -0000 Hi all, I am planning to use Packet Filter as a firewall/NAT for my VPN box which runs VxWorks. It has 32 MB of RAM. I need to support some of the popular services for machines behind the NAT like FTP, H.323, Real Audio, NetBIOS, DNS, RTSP, SIP. 
The standard OpenBSD way of doing things afaik is to redirect the traffic to the user space and let the proxy daemons deal with it. My questions are: a) Would it not be a big overhead to move packets to and fro the user space and kernel space. Also considering my case where the box is memory constraint, so i would want to keep the number of user spaces process/tasks to a minimum. b) Would it be a good idea to port the ALGs into the kernel, the way IPFILTER or Netfilter does it. c) Would it be feasible to re-model PF such that rule matches (eg: IP address match, interface match) and targets (filter, redirect, DNAT, SNAT) can be registered. so that additional matches and targets can be added without much change in the core firewall code. Please let me know your opinion regarding this. thanks & regards samba From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 06:57:04 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 05D5616A4DD for ; Wed, 26 Jul 2006 06:57:04 +0000 (UTC) (envelope-from solinym@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id 92E2943D46 for ; Wed, 26 Jul 2006 06:57:03 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by py-out-1112.google.com with SMTP id b36so2666297pyb for ; Tue, 25 Jul 2006 23:57:02 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=sAvJ9XN2/TJk/KMc4beUiRkefvntvvwarDQ8reoa2HcArrrJoj/pZgC64uqD7t8ZL+3+0ilyirIApa0DIr2fvlMwZgwS4kCvAZ8E201Aqz4MCPZsqOU/fkyvSHFnFv4fKQ6nyDNR/Rc0bbKSi/2Eh0UmyvMigl4cJMqFboABQNY= Received: by 10.35.121.9 with SMTP id y9mr10783134pym; Tue, 25 Jul 2006 23:57:02 -0700 (PDT) Received: by 10.35.34.13 with 
HTTP; Tue, 25 Jul 2006 23:57:02 -0700 (PDT) Message-ID: Date: Wed, 26 Jul 2006 01:57:02 -0500 From: "Travis H." To: samba In-Reply-To: <44C6EB01.2050303@embeddedinfotech.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <44C6EB01.2050303@embeddedinfotech.com> Cc: freebsd-pf@freebsd.org Subject: Re: Porting proxies/ALGs into to the kernel X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jul 2006 06:57:04 -0000 On 7/25/06, samba wrote: > a) Would it not be a big overhead to move packets to and fro the user > space and kernel space. Also considering my case where the box is memory > constraint, so i would want to keep the number of user spaces > process/tasks to a minimum. Yes, crossing the kernel/user boundary is expensive, and that's why things like BPF exist, to do the filtering in kernel space and only passing matches to userspace (libpcap). > b) Would it be a good idea to port the ALGs into the kernel, the way > IPFILTER or Netfilter does it. Depends on what you mean by "good". Certainly it would be more efficient, but you pay a price in stability -- an error in the code stands a good chance of crashing the machine. I suspect you'll also find memory management in kernel space a bit trickier than userland. Your questions hint at a fairly ambitious project, are you an experienced kernel coder? If not, it may be too ambitious. If I were you, I'd do the development under VMWare or something like that, because you'll be crashing a lot, and it's somewhat difficult to diagnose kernel errors if you're not in a virtual machine, not to mention the annoying bit about waiting for it to reboot each time you discover a new error. 
I don't have any hard numbers on it, but 32MB is pretty small. You'll probably be doing a lot of work just to keep the memory footprint small enough. If you decide to go this route, I humbly suggest you write the ALGs as userland processes first, and then see if you can shrink them down and move them into kernel space. You may find that there's just no way to cram them into 32MB, and save yourself a lot of work by reaching that conclusion earlier. -- "if you're not part of the solution, you're part of the precipitate" Unix "guru" for rent or hire || http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 07:45:24 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 642F916A4DA for ; Wed, 26 Jul 2006 07:45:24 +0000 (UTC) (envelope-from jeff@sailorfej.net) Received: from mail.sailorfej.net (mail.sailorfej.net [66.93.72.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1837F43D46 for ; Wed, 26 Jul 2006 07:45:24 +0000 (GMT) (envelope-from jeff@sailorfej.net) Received: from [192.168.150.100] (c-24-20-239-104.hsd1.wa.comcast.net [24.20.239.104]) (authenticated bits=0) by mail.sailorfej.net (8.13.4/8.13.4) with ESMTP id k6Q7gox5039413 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 26 Jul 2006 00:42:51 -0700 (PDT) (envelope-from jeff@sailorfej.net) Message-ID: <44C71D8F.9090007@sailorfej.net> Date: Wed, 26 Jul 2006 00:45:19 -0700 From: Jeffrey Williams User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.6 required=6.0 tests=BAYES_00,RCVD_IN_SORBS_DUL autolearn=no version=3.1.1 X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on 
mail.sailorfej.net Subject: nat/outbound traffic not passing in pf on FreeBSD 6.1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jul 2006 07:45:24 -0000 This is the first time I have tried to use pf on FreeBSD, I usually use ipfw, however I have been using pf on OpenBSD, and wanted change over on my FreeBSD boxes. I am having problems with a very basic rule set for a nat-ed small network. Currently no traffic is being passed between the internal and public networks. I am using the same rule set (see below) on a pf firewall running on a OpenBSD 3.8 box, with the exception of the to last rule (pass out....) I had to add to the freebsd boxes I am working on to be able to initiate outbound connections during configuration. This alone confuses me, I was under the impression that pf was default pass unless blocked, hence the starting of filter blocks of rules with "block in all" and/or "block out all" I did try adding a "pass out all" rule, but it had no effect. The freebsd box is a running 6.1p3 on a Dell PowerEdge 1850 single dual-core proc, with SMP kernel, if pertinent, IPSEC options are also in the kernel including filtergif, this box will eventually become the perimeter firewall between our public ip space and the ISP (with queuing/traffic shaping requirements), while an identical box will replace it as firewall between our public and private ip spaces and provide ipsec vpn tunnels as well. shown below in order are the rc.conf entries, the compiled kernel options, the pf.conf, and the pfctl -sa output. I would appreciate any assistance, I really don't want to have to go back to ipfw. 
kern options: device pf device pflog device pfsync options ALTQ options ALTQ_CBQ options ALTQ_RED options ALTQ_RIO options ALTQ_HFSC options ALTQ_PRIQ options ALTQ_NOPCC rc.conf entries: defaultrouter="o.o.33.41" hostname="me.domain.com" sshd_enable="YES" ifconfig_em0="inet o.o.33.46 netmask 255.255.255.248" ifconfig_em1="inet i.i.10.1 netmask 255.255.255.0" gateway_enable="YES" pf_enable="YES" pf_rules="/etc/pf.conf" pf_flags="" pflog_enable="YES" pflog_logfile="/var/log/pflog" pflog_flags="" pf.conf entries: oif="em0" onwr="o.o.33.40/29" oip="o.o.33.46" iif="em1" inwr="i.i.10.0/24" iip="i.i.10.1" is1="i.i.10.15" scrub in all nat on $oif from $inwr to any -> $oif rdr on $oif proto tcp from any to $oip port 1000 -> $is1 port 22 block in log all pass in on $oif proto tcp from any to $is1 port 22 keep state pass in on $oif proto tcp from any to $oip port 22 keep state pass in on $iif inet from $inwr to any keep state pass out on $oif inet from $oip to any keep state (additional rule referred to above that needed to be added to enable outbound connections, should not be needed?) antispoof for $oif antispoof for $iif pfctl -sa output: TRANSLATION RULES: nat on em0 inet from i.i.10.0/24 to any -> o.o.33.46 rdr on em0 inet proto tcp from any to o.o.33.46 port = cadlock2 -> i.i.10.15 port 22 FILTER RULES: scrub in all fragment reassemble block drop in log all pass in on em0 inet proto tcp from any to i.i.10.15 port = ssh keep state pass in on em0 inet proto tcp from any to o.o.33.46 port = ssh keep state pass in on em1 inet from i.i.10.0/24 to any keep state pass out on em0 inet from o.o.33.46 to any keep state block drop in on ! em0 inet from o.o.33.i/29 to any block drop in on em0 inet6 from fe80::213:72ff:fe5f:6e6b to any block drop in inet from o.o.33.46 to any block drop in on ! 
em1 inet from i.i.10.0/24 to any block drop in on em1 inet6 from fe80::213:72ff:fe5f:6e6c to any block drop in inet from i.i.10.1 to any No queue in use STATES: self tcp i.i.10.1:56727 <- i.i.10.15:22 FIN_WAIT_2:FIN_WAIT_2 self tcp o.o.33.46:22 <- x.x.239.104:62760 ESTABLISHED:ESTABLISHED self pfsync o.o.33.46 -> 0.0.0.0 SINGLE:NO_TRAFFIC INFO: Status: Enabled for 0 days 00:02:47 Debug: Urgent Hostid: 0xfb5oe08 State Table Total Rate current entries 3 searches 838 5.0/s inserts 20 0.1/s removals 17 0.1/s Counters match 45 0.3/s bad-offset 0 0.0/s fragment 0 0.0/s short 0 0.0/s normalize 0 0.0/s memory 0 0.0/s bad-timestamp 0 0.0/s congestion 0 0.0/s ip-option 0 0.0/s proto-cksum 0 0.0/s state-mismatch 0 0.0/s state-insert 0 0.0/s state-limit 0 0.0/s src-limit 0 0.0/s synproxy 0 0.0/s TIMEOUTS: tcp.first 120s tcp.opening os tcp.established 86i0s tcp.closing 900s tcp.finwait 45s tcp.closed 90s tcp.tsdiff os udp.first 60s udp.single os udp.multiple 60s icmp.first 20s icmp.error 10s other.first 60s other.single os other.multiple 60s frag os interval 10s adaptive.start 0 states adaptive.end 0 states src.track 0s LIMITS: states hard limit 10000 src-nodes hard limit 10000 frags hard limit 5000 OS FINGERPRINTS: 345 fingerprints loaded From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 09:39:57 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2EB1616A4DA for ; Wed, 26 Jul 2006 09:39:57 +0000 (UTC) (envelope-from solinym@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD2BA43D55 for ; Wed, 26 Jul 2006 09:39:56 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by py-out-1112.google.com with SMTP id b36so2703123pyb for ; Wed, 26 Jul 2006 02:39:55 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; 
h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=kIwcgPnP6O+T60itdJKGISOGqRM0l12oQjckVMkfMoilcieATtZtZTLNznn0ajt9071mCLnfWNpDOkIRaVDZ/gAfJu+sNk/eFOKV3nS09j2pWPGEpPtTp3n7sValaf9+4vsVXZAZrVlEZWpG75HBLlmp007x/nst3CBYeXUE1RI= Received: by 10.35.96.11 with SMTP id y11mr11040831pyl; Wed, 26 Jul 2006 02:39:55 -0700 (PDT) Received: by 10.35.34.13 with HTTP; Wed, 26 Jul 2006 02:39:55 -0700 (PDT) Message-ID: Date: Wed, 26 Jul 2006 04:39:55 -0500 From: "Travis H." To: "Jeffrey Williams" In-Reply-To: <44C71D8F.9090007@sailorfej.net> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <44C71D8F.9090007@sailorfej.net> Cc: freebsd-pf@freebsd.org Subject: Re: nat/outbound traffic not passing in pf on FreeBSD 6.1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jul 2006 09:39:57 -0000 Well this is a silly question, but perhaps traffic is being passed out, but the responses can't get back in? It's not clear to me how you expected responses to get in without a "keep state" on an outbound rule. 
-- "if you're not part of the solution, you're part of the precipitate" Unix "guru" for rent or hire || http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 17:07:49 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4DDAA16A4DD for ; Wed, 26 Jul 2006 17:07:49 +0000 (UTC) (envelope-from lyndon@orthanc.ca) Received: from orthanc.ca (orthanc.ca [209.89.70.53]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9047543D53 for ; Wed, 26 Jul 2006 17:07:48 +0000 (GMT) (envelope-from lyndon@orthanc.ca) Received: from localhost (localhost [127.0.0.1]) (authenticated bits=0) by orthanc.ca (8.13.4/8.13.4) with ESMTP id k6QH7gXs025328 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 26 Jul 2006 11:07:44 -0600 (MDT) (envelope-from lyndon@orthanc.ca) Date: Wed, 26 Jul 2006 11:07:42 -0600 (MDT) From: Lyndon Nerenberg To: "Travis H." In-Reply-To: Message-ID: <20060726110541.K25284@orthanc.ca> References: <44C71D8F.9090007@sailorfej.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,SPF_PASS autolearn=ham version=3.1.3 X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on orthanc.ca Cc: freebsd-pf@freebsd.org Subject: Re: nat/outbound traffic not passing in pf on FreeBSD 6.1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jul 2006 17:07:49 -0000 > Well this is a silly question, but perhaps traffic is being passed > out, but the responses can't get back in? 
It's not clear to me how > you expected responses to get in without a "keep state" on an outbound > rule. In the OpenBSD implementation, the 'nat' statement implicitly enables 'keep state' behaviour, therefore a separate rule is not required. --lyndon From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 17:29:51 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D451616A4DD for ; Wed, 26 Jul 2006 17:29:51 +0000 (UTC) (envelope-from jeff@sailorfej.net) Received: from mail.sailorfej.net (mail.sailorfej.net [66.93.72.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id C337043D72 for ; Wed, 26 Jul 2006 17:29:50 +0000 (GMT) (envelope-from jeff@sailorfej.net) Received: from [192.168.150.100] (c-24-20-239-104.hsd1.or.comcast.net [24.20.239.104]) (authenticated bits=0) by mail.sailorfej.net (8.13.4/8.13.4) with ESMTP id k6QHREH5041919 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 26 Jul 2006 10:27:15 -0700 (PDT) (envelope-from jeff@sailorfej.net) Message-ID: <44C7A68D.9010203@sailorfej.net> Date: Wed, 26 Jul 2006 10:29:49 -0700 From: Jeffrey Williams User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <44C71D8F.9090007@sailorfej.net> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.6 required=6.0 tests=BAYES_00,RCVD_IN_SORBS_DUL autolearn=no version=3.1.1 X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on mail.sailorfej.net Subject: Re: nat/outbound traffic not passing in pf on FreeBSD 6.1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jul 2006 
17:29:51 -0000 The outbound rule does have keep state on it, but the point is the outbound rule should not even be necessary, pf defaults to pass unless a block rule is given, there is no block out rule. once again this rule set (minus the "pass out on $oif inet from $oip to any keep state" rule) works perfectly on my OpenBSD firewalls. Thanks Jeff Travis H. wrote: > Well this is a silly question, but perhaps traffic is being passed > out, but the responses can't get back in? It's not clear to me how > you expected responses to get in without a "keep state" on an outbound > rule. From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 17:46:41 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A8B6616A4DA for ; Wed, 26 Jul 2006 17:46:41 +0000 (UTC) (envelope-from jeff@sailorfej.net) Received: from mail.sailorfej.net (mail.sailorfej.net [66.93.72.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1812143D49 for ; Wed, 26 Jul 2006 17:46:41 +0000 (GMT) (envelope-from jeff@sailorfej.net) Received: from [192.168.150.100] (c-24-20-239-104.hsd1.wa.comcast.net [24.20.239.104]) (authenticated bits=0) by mail.sailorfej.net (8.13.4/8.13.4) with ESMTP id k6QHi4rW042023 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 26 Jul 2006 10:44:05 -0700 (PDT) (envelope-from jeff@sailorfej.net) Message-ID: <44C7AA7F.7060904@sailorfej.net> Date: Wed, 26 Jul 2006 10:46:39 -0700 From: Jeffrey Williams User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <013101c6b0ba$371645d0$152ea8c0@phobos> In-Reply-To: <013101c6b0ba$371645d0$152ea8c0@phobos> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.6 required=6.0 tests=BAYES_00,RCVD_IN_SORBS_DUL autolearn=no version=3.1.1 X-Spam-Checker-Version: SpamAssassin 
3.1.1 (2006-03-10) on mail.sailorfej.net Subject: Re: SV: nat/outbound traffic not passing in pf on FreeBSD 6.1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jul 2006 17:46:41 -0000 Morgan wrote: >> pf.conf entries: >> >> oif="em0" >> onwr="o.o.33.40/29" >> oip="o.o.33.46" >> >> iif="em1" >> inwr="i.i.10.0/24" >> iip="i.i.10.1" >> >> is1="i.i.10.15" >> >> scrub in all >> >> nat on $oif from $inwr to any -> $oif >> >> rdr on $oif proto tcp from any to $oip port 1000 -> $is1 port 22 >> >> block in log all >> >> pass in on $oif proto tcp from any to $is1 port 22 keep state >> pass in on $oif proto tcp from any to $oip port 22 keep state >> >> pass in on $iif inet from $inwr to any keep state >> pass out on $oif inet from $oip to any keep state (additional rule >> referred to above that needed to be added to enable outbound >> connections, should not be needed?) >> >> antispoof for $oif >> antispoof for $iif > > Where is your pass rule for your internal interface and for your loopback > for that matter? > > Pass on lo0 all > Pass on em1 all > > /PP > > I am not running anything that is trying to use the loopback interface on this box. The following rule passes traffic in on the internal interface, "pass in on $iif inet from $inwr to any keep state", and there is no rule blocking traffic out on the internal interface. 
Thanks, Jeff From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 18:32:00 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9944216A4DA for ; Wed, 26 Jul 2006 18:32:00 +0000 (UTC) (envelope-from jsimola@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.173]) by mx1.FreeBSD.org (Postfix) with ESMTP id 626AE43D5A for ; Wed, 26 Jul 2006 18:31:59 +0000 (GMT) (envelope-from jsimola@gmail.com) Received: by ug-out-1314.google.com with SMTP id m2so3460918uge for ; Wed, 26 Jul 2006 11:31:58 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=IUAlNXGiITjCKxvwsCRMxwPvoyZU3HFrlzaPCS9tyYPjTAox5kqGEjae1Y1s67//MqiWF963/w2nStKKD1LPHCuewyTXHU6snqK0nqly9KtCesrRGn76xVpMc1bXUOnSu/PqAsbCS14rvicGPxtN8kbUZ7kHObnbirDOmxfkCVE= Received: by 10.78.156.6 with SMTP id d6mr3369639hue; Wed, 26 Jul 2006 11:31:58 -0700 (PDT) Received: by 10.78.196.19 with HTTP; Wed, 26 Jul 2006 11:31:57 -0700 (PDT) Message-ID: <8eea04080607261131g6afe0f4dp9c0ea30f78fc3079@mail.gmail.com> Date: Wed, 26 Jul 2006 11:31:57 -0700 From: "Jon Simola" To: "Jeffrey Williams" In-Reply-To: <44C7AA7F.7060904@sailorfej.net> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <013101c6b0ba$371645d0$152ea8c0@phobos> <44C7AA7F.7060904@sailorfej.net> Cc: freebsd-pf@freebsd.org Subject: Re: SV: nat/outbound traffic not passing in pf on FreeBSD 6.1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , 
X-List-Received-Date: Wed, 26 Jul 2006 18:32:00 -0000 On 7/26/06, Jeffrey Williams wrote: > I am not running anything that is trying to use the loopback interface > on this box. Blocking traffic on the loopback will cause many odd problems. Always use set skip on lo > The following rule passes traffic in on the internal interface, "pass in > on $iif inet from $inwr to any keep state", and there is no rule > blocking traffic out on the internal interface. The problem here is that the NAT translation of the packet takes place before pass and block rules are processed. NAT'ed packets appear to be incoming on the internal interface with an IP address of the external interface. So you can pass all traffic on the internal interface, or get a little fancier and use tags with NAT: nat on $ext_if from $int_if:network to !$int_if:network tag NAT -> ($ext_if:0) pass all tagged NAT keep state Or for the minimal ruleset: nat pass on $ext_if from $int_if:network to !$int_if:network -> ($ext_if:0) -- Jon From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 19:34:38 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 20DD816A4DF for ; Wed, 26 Jul 2006 19:34:38 +0000 (UTC) (envelope-from jeff@sailorfej.net) Received: from mail.sailorfej.net (mail.sailorfej.net [66.93.72.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id 51B3543D53 for ; Wed, 26 Jul 2006 19:34:37 +0000 (GMT) (envelope-from jeff@sailorfej.net) Received: from [192.168.150.100] (c-24-20-239-104.hsd1.wa.comcast.net [24.20.239.104]) (authenticated bits=0) by mail.sailorfej.net (8.13.4/8.13.4) with ESMTP id k6QJW0HI042796 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 26 Jul 2006 12:32:01 -0700 (PDT) (envelope-from jeff@sailorfej.net) Message-ID: <44C7C3CB.3020702@sailorfej.net> Date: Wed, 26 Jul 2006 12:34:35 -0700 From: Jeffrey Williams User-Agent: 
Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <013101c6b0ba$371645d0$152ea8c0@phobos> <44C7AA7F.7060904@sailorfej.net> <8eea04080607261131g6afe0f4dp9c0ea30f78fc3079@mail.gmail.com> In-Reply-To: <8eea04080607261131g6afe0f4dp9c0ea30f78fc3079@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.6 required=6.0 tests=BAYES_00,RCVD_IN_SORBS_DUL autolearn=no version=3.1.1 X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on mail.sailorfej.net Subject: Re: SV: nat/outbound traffic not passing in pf on FreeBSD 6.1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jul 2006 19:34:38 -0000 OK, I went ahead and opened up lo; it still does not work. Adding pass to the nat statement causes all NATed packets to bypass all of the other filter rules; this is not acceptable. Once again, the ruleset works fine on OpenBSD, so what is different about pf on FreeBSD? I do not believe the problem is in the rules. I repeat, this rule set works 100% in pf on OpenBSD, and I have not found any documentation that states that pf on FreeBSD interprets rules differently than on OpenBSD. So either there is a difference that I have not found (if so, can somebody tell me what that difference is?), or there is a bug in the FreeBSD pf code (if so, does anybody know what it is, and if there is a workaround?). The other possibility is that I am missing a compile-time setting or a kernel setting; if so, does anybody know what it might be? Thanks, Jeff Jon Simola wrote: > On 7/26/06, Jeffrey Williams wrote: > >> I am not running anything that is trying to use the loopback interface >> on this box. > > Blocking traffic on the loopback will cause many odd problems.
Always use > set skip on lo > >> The following rule passes traffic in on the internal interface, "pass in >> on $iif inet from $inwr to any keep state", and there is no rule >> blocking traffic out on the internal interface. > > The problem here is that the NAT translation of the packet takes place > before pass and block rules are processed. NAT'ed packets appear to be > incoming on the internal interface with an IP address of the external > interface. So you can pass all traffic on the internal interface, or > get a little fancier and use tags with NAT: > > nat on $ext_if from $int_if:network to !$int_if:network tag NAT -> > ($ext_if:0) > pass all tagged NAT keep state > > Or for the minimal ruleset: > > nat pass on $ext_if from $int_if:network to !$int_if:network -> ($ext_if:0) > From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 20:24:57 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C263C16A4DA for ; Wed, 26 Jul 2006 20:24:57 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D62043D5D for ; Wed, 26 Jul 2006 20:24:55 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.13.4) with ESMTP id k6QKOtl1020573 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Wed, 26 Jul 2006 22:24:55 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id k6QKOsPj021476; Wed, 26 Jul 2006 22:24:54 +0200 (MEST) Date: Wed, 26 Jul 2006 22:24:54 +0200 From: Daniel Hartmeier To: Jeffrey Williams Message-ID: <20060726202454.GG18492@insomnia.benzedrine.cx> References: <44C71D8F.9090007@sailorfej.net> Mime-Version: 1.0 Content-Type: 
text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <44C71D8F.9090007@sailorfej.net> User-Agent: Mutt/1.5.10i Cc: freebsd-pf@freebsd.org Subject: Re: nat/outbound traffic not passing in pf on FreeBSD 6.1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jul 2006 20:24:57 -0000 Can you give us an example of just one connection that doesn't work? Like, local workstation i.i.10.3, connected to em1, matching $inwr, tries to connect to an external host 62.65.145.30. Protocol TCP, source port 12345, destination port 80. The TCP SYN is seen (with tcpdump) incoming on em1. But it's not seen outgoing (NAT'ed to source address o.o.33.46) on em0.

> scrub in all fragment reassemble
> block drop in log all
> pass in on em0 inet proto tcp from any to i.i.10.15 port = ssh keep state
> pass in on em0 inet proto tcp from any to o.o.33.46 port = ssh keep state
> pass in on em1 inet from i.i.10.0/24 to any keep state
> pass out on em0 inet from o.o.33.46 to any keep state
> block drop in on ! em0 inet from o.o.33.i/29 to any
> block drop in on em0 inet6 from fe80::213:72ff:fe5f:6e6b to any
> block drop in inet from o.o.33.46 to any
> block drop in on ! em1 inet from i.i.10.0/24 to any
> block drop in on em1 inet6 from fe80::213:72ff:fe5f:6e6c to any
> block drop in inet from i.i.10.1 to any

A packet that doesn't match any of those rules will be passed. Since you don't block outgoing packets at all, you should see the TCP SYN go out on em1 (properly NAT'ed). Since NAT implies keep state, a state entry should be created even if you don't have an explicit 'pass out keep state' rule. Your pfctl -si output shows that there are states created, and that packets are matching those states and passing.
You should see the returning TCP SYN+ACK incoming on em1 (with tcpdump), get NAT'ed back to the internal destination address, and leave out on em0. Make sure that there's nothing weird going on with the network cables, i.e. that em0 is really the internal NIC, that the local workstation does not have any other way to reach the external host except through the pf box, and that it's using the pf box as default gateway. If the TCP SYN and SYN+ACK show up in any other order (than described above) on the two interfaces, that would be the clue to the problem. There is no difference between pf on OpenBSD and FreeBSD in this regard, and I very much doubt there is a bug as basic as this still undetected. More likely, there is some other difference between your OpenBSD and FreeBSD setups, as simple as a cable plugged in somewhere :) Daniel From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 23:28:30 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0020C16A4DD for ; Wed, 26 Jul 2006 23:28:29 +0000 (UTC) (envelope-from snb@threerings.net) Received: from smtp.earth.threerings.net (mail.threerings.net [64.127.109.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id BE9CD43D4C for ; Wed, 26 Jul 2006 23:28:29 +0000 (GMT) (envelope-from snb@threerings.net) Received: from [192.168.54.42] (chukchi.sea.earth.threerings.net [192.168.54.42]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.earth.threerings.net (Postfix) with ESMTP id 52FFE6531 for ; Wed, 26 Jul 2006 16:28:28 -0700 (PDT) Message-ID: <44C7FA9A.20508@threerings.net> Date: Wed, 26 Jul 2006 16:28:26 -0700 From: Nick Barkas User-Agent: Thunderbird 1.5.0.4 (Macintosh/20060516) MIME-Version: 1.0 To: freebsd-pf@freebsd.org X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: 
carpdev support from OpenBSD X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Jul 2006 23:28:30 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello- There is a feature from OpenBSD's carp implementation that allows one to specify which device a carp interface will use, similar to how vlan devices are associated to a physical interface with the vlandev option to ifconfig. The change to support this carpdev option looks like it was added about a year and a half ago to OpenBSD, but it has not been merged into FreeBSD yet. I would like to have support for this on my routers, and I am interested in trying to port these changes over to FreeBSD. I have two questions, however. First, is it desired by others that FreeBSD's carp attempt to follow the development of OpenBSD's implementation? In looking at cvs commit logs in sys/netinet/ip_carp.[ch], I have seen that there have been only a few instances where OpenBSD changes have been merged into FreeBSD's carp sources. Second, would it be more appropriate for me to attempt to merge all of OpenBSD's changes to the carp device to FreeBSD, or only those specific to supporting the carpdev functionality that I want? 
If I should send this to -net or elsewhere instead, please let me know and I'll do that :) Thanks Nick From owner-freebsd-pf@FreeBSD.ORG Thu Jul 27 06:59:47 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1258E16A4DA; Thu, 27 Jul 2006 06:59:47 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7D2543D4C; Thu, 27 Jul 2006 06:59:46 +0000 (GMT) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k6R6xk1v098352; Thu, 27 Jul 2006 06:59:46 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k6R6xkRT098348; Thu, 27 Jul 2006 06:59:46 GMT (envelope-from linimon) Date: Thu, 27 Jul 2006 06:59:46 GMT From: Mark Linimon Message-Id: <200607270659.k6R6xkRT098348@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: kern/100879: [pf] PF on Freebsd 6.1-STABLE doesn't block IPv6 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Jul 2006 06:59:47 -0000 Old Synopsis: PF on Freebsd 6.1-STABLE doesn't block IPv6 New Synopsis: [pf] PF on Freebsd 6.1-STABLE doesn't block IPv6 Responsible-Changed-From-To:
freebsd-bugs->freebsd-pf Responsible-Changed-By: linimon Responsible-Changed-When: Thu Jul 27 06:58:35 UTC 2006 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=100879 From owner-freebsd-pf@FreeBSD.ORG Thu Jul 27 09:34:27 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 60A6716A4DA; Thu, 27 Jul 2006 09:34:27 +0000 (UTC) (envelope-from dhartmei@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 17C9B43D46; Thu, 27 Jul 2006 09:34:27 +0000 (GMT) (envelope-from dhartmei@FreeBSD.org) Received: from freefall.freebsd.org (dhartmei@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k6R9YQum012902; Thu, 27 Jul 2006 09:34:26 GMT (envelope-from dhartmei@freefall.freebsd.org) Received: (from dhartmei@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k6R9YQf5012897; Thu, 27 Jul 2006 09:34:26 GMT (envelope-from dhartmei) Date: Thu, 27 Jul 2006 09:34:26 GMT From: Daniel Hartmeier Message-Id: <200607270934.k6R9YQf5012897@freefall.freebsd.org> To: sirdice@xs4all.nl, dhartmei@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: kern/100879: [pf] PF on Freebsd 6.1-STABLE doesn't block IPv6 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Jul 2006 09:34:27 -0000 Synopsis: [pf] PF on Freebsd 6.1-STABLE doesn't block IPv6 State-Changed-From-To: open->closed State-Changed-By: dhartmei State-Changed-When: Thu Jul 27 09:33:52 UTC 2006 State-Changed-Why: not a bug, submitter agrees. 
http://www.freebsd.org/cgi/query-pr.cgi?pr=100879 From owner-freebsd-pf@FreeBSD.ORG Thu Jul 27 11:50:34 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1072216A4DA for ; Thu, 27 Jul 2006 11:50:34 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.187]) by mx1.FreeBSD.org (Postfix) with ESMTP id 63DA343D55 for ; Thu, 27 Jul 2006 11:50:33 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.179.207] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu0) with ESMTP (Nemesis), id 0MKwh2-1G64Np3w0x-00022R; Thu, 27 Jul 2006 13:50:32 +0200 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Thu, 27 Jul 2006 13:50:22 +0200 User-Agent: KMail/1.9.3 References: <44C7FA9A.20508@threerings.net> In-Reply-To: <44C7FA9A.20508@threerings.net> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart3676555.Kq1r2fQ7YS"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200607271350.28684.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Subject: Re: carpdev support from OpenBSD X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Jul 2006 11:50:34 -0000 --nextPart3676555.Kq1r2fQ7YS Content-Type: text/plain; charset="iso-8859-1" 
Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Thursday 27 July 2006 01:28, Nick Barkas wrote: > There is a feature from OpenBSD's carp implementation that allows one to > specify which device a carp interface will use, similar to how vlan > devices are associated to a physical interface with the vlandev option > to ifconfig. The change to support this carpdev option looks like it was > added about a year and a half ago to OpenBSD, but it has not been merged > into FreeBSD yet. I would like to have support for this on my routers, > and I am interested in trying to port these changes over to FreeBSD. > > I have two questions, however. First, is it desired by others that > FreeBSD's carp attempt to follow the development of OpenBSD's > implementation? In looking at cvs commit logs in > sys/netinet/ip_carp.[ch], I have seen that there have been only a few > instances where OpenBSD changes have been merged into FreeBSD's carp > sources. Second, would it be more appropriate for me to attempt to merge > all of OpenBSD's changes to the carp device to FreeBSD, or only those > specific to supporting the carpdev functionality that I want? > > If I should send this to -net or elsewhere instead, please let me know > and I'll do that :) I think you should talk to Gleb Smirnoff (glebius@) who did the final import of carp and is taking care of it since. IIRC he had different plans for it, but I am not sure what they were and if he got a chance to move forward.
-- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News From owner-freebsd-pf@FreeBSD.ORG Thu Jul 27 11:57:39 2006 Return-Path: X-Original-To: freebsd-pf@hub.freebsd.org Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D7BC416A4DF; Thu, 27 Jul 2006 11:57:39 +0000 (UTC) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id ACBCB43D68; Thu, 27 Jul 2006 11:57:38 +0000 (GMT) (envelope-from mlaier@FreeBSD.org) Received: from freefall.freebsd.org (mlaier@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k6RBvc0M026282; Thu, 27 Jul 2006 11:57:38 GMT (envelope-from mlaier@freefall.freebsd.org) Received: (from mlaier@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k6RBvcec026278; Thu, 27 Jul 2006 11:57:38 GMT (envelope-from mlaier) Date: Thu, 27 Jul 2006 11:57:38 GMT From: Max Laier Message-Id: <200607271157.k6RBvcec026278@freefall.freebsd.org> To: james@jlauser.net, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org Cc: Subject: Re: bin/96150: pfctl(8) -k non-functional X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Jul 2006 11:57:39 -0000 Synopsis: pfctl(8) -k non-functional State-Changed-From-To: open->closed
State-Changed-By: mlaier State-Changed-When: Thu Jul 27 11:56:45 UTC 2006 State-Changed-Why: As described above, this seems to be a misunderstanding. Thanks. http://www.freebsd.org/cgi/query-pr.cgi?pr=96150 From owner-freebsd-pf@FreeBSD.ORG Fri Jul 28 05:19:21 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 579A016A4E2 for ; Fri, 28 Jul 2006 05:19:21 +0000 (UTC) (envelope-from solinym@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.180]) by mx1.FreeBSD.org (Postfix) with ESMTP id D7C6243D49 for ; Fri, 28 Jul 2006 05:19:20 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by py-out-1112.google.com with SMTP id b36so453157pyb for ; Thu, 27 Jul 2006 22:19:19 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=AcZcUSM1++atU9ErzPNaW4h48FLo3/Zrpd49xXqSkefIFGQO2IKP9QJGzy8I54RVPHs1x30zTML5ullKP1b2lVq2fbC0BjGgk/TKcugKDq7aoWxQNld3JNAZ8tKK9h2KkbHgMPqFea6sG6EFJ/Uya0aIBTDM3KX8ZLE+7ZjskCc= Received: by 10.35.121.9 with SMTP id y9mr13951462pym; Thu, 27 Jul 2006 22:19:19 -0700 (PDT) Received: by 10.35.34.13 with HTTP; Thu, 27 Jul 2006 22:19:19 -0700 (PDT) Message-ID: Date: Fri, 28 Jul 2006 00:19:19 -0500 From: "Travis H." 
To: "Lyndon Nerenberg" In-Reply-To: <20060726110541.K25284@orthanc.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <44C71D8F.9090007@sailorfej.net> <20060726110541.K25284@orthanc.ca> Cc: freebsd-pf@freebsd.org Subject: Re: nat/outbound traffic not passing in pf on FreeBSD 6.1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jul 2006 05:19:21 -0000 On 7/26/06, Lyndon Nerenberg wrote: > In the OpenBSD implementation, the 'nat' statement implicitly enables > 'keep state' behaviour, therefore a separate rule is not required. You're right, I was forgetting that his "default block" rule applied only to inbound traffic, otherwise a "pass" would have been lacking in the nat rule. -- "if you're not part of the solution, you're part of the precipitate" Unix "guru" for rent or hire || http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 From owner-freebsd-pf@FreeBSD.ORG Fri Jul 28 06:12:07 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 56EA316A4DE for ; Fri, 28 Jul 2006 06:12:07 +0000 (UTC) (envelope-from jeff@sailorfej.net) Received: from mail.sailorfej.net (mail.sailorfej.net [66.93.72.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id E838243D49 for ; Fri, 28 Jul 2006 06:12:06 +0000 (GMT) (envelope-from jeff@sailorfej.net) Received: from [192.168.150.100] (c-24-20-239-104.hsd1.wa.comcast.net [24.20.239.104]) (authenticated bits=0) by mail.sailorfej.net (8.13.4/8.13.4) with ESMTP id k6S69GVw052178 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA 
bits=256 verify=NO) for ; Thu, 27 Jul 2006 23:09:17 -0700 (PDT) (envelope-from jeff@sailorfej.net) Message-ID: <44C9AAAF.1090705@sailorfej.net> Date: Thu, 27 Jul 2006 23:11:59 -0700 From: Jeffrey Williams User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <44C71D8F.9090007@sailorfej.net> <20060726202454.GG18492@insomnia.benzedrine.cx> In-Reply-To: <20060726202454.GG18492@insomnia.benzedrine.cx> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.6 required=6.0 tests=BAYES_00,RCVD_IN_SORBS_DUL autolearn=no version=3.1.1 X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on mail.sailorfej.net Subject: Re: nat/outbound traffic not passing in pf on FreeBSD 6.1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jul 2006 06:12:07 -0000 Daniel and all on list, Thank you, and mea culpa, I should have tried that first. tcpdump showed no packets coming in from the inside network on em1 (even with pf disabled), although the aggregate port switch saw them. So it is either a bad switch configuration (likely, my first time with a Dell switch) or a bad switch port. Either way, it does not appear to be pf/FreeBSD's fault; after moving the inside interface to another port, it works fine. Although I was able to ssh from em1 out to machines on the inside network, which is weird; I have to revisit this when I have time. Thanks, Jeff Daniel Hartmeier wrote: > Can you give us an example of just one connection that doesn't work? > > Like, local workstation i.i.10.3, connected to em1, matching $inwr, > tries to connect to an external host 62.65.145.30. Protocol TCP, source > port 12345, destination port 80. The TCP SYN is seen (with tcpdump) > incoming on em1.
But it's not seen outgoing (NAT'ed to source address > o.o.33.46) on em0. > >> scrub in all fragment reassemble >> block drop in log all >> pass in on em0 inet proto tcp from any to i.i.10.15 port = ssh keep state >> pass in on em0 inet proto tcp from any to o.o.33.46 port = ssh keep state >> pass in on em1 inet from i.i.10.0/24 to any keep state >> pass out on em0 inet from o.o.33.46 to any keep state >> block drop in on ! em0 inet from o.o.33.i/29 to any >> block drop in on em0 inet6 from fe80::213:72ff:fe5f:6e6b to any >> block drop in inet from o.o.33.46 to any >> block drop in on ! em1 inet from i.i.10.0/24 to any >> block drop in on em1 inet6 from fe80::213:72ff:fe5f:6e6c to any >> block drop in inet from i.i.10.1 to any > > A packet that doesn't match any of those rules will be passed. Since you > don't block outgoing packets at all, you should see the TCP SYN go out > on em1 (properly NAT'ed). Since NAT implies keep state, a state entry > should be created even if you don't have an explicit 'pass out keep > state' rule. > > Your pfctl -si output shows that there are states created, and that > packets are matching those states and passing. > > You should see the returning TCP SYN+ACK incoming on em1 (with tcpdump), > get NAT'ed back to the internal destination address, and leave out on > em0. > > Make sure that there's nothing weird going on with the network cables, > i.e. that em0 is really the internal NIC, that the local workstation > does not have any other way to reach the external host except through > the pf box, and that it's using the pf box as default gateway. > > If the TCP SYN and SYN+ACK show up in any other order (than described > above) on the two interfaces, that would be the clue to the problem. > > There is no difference between pf on OpenBSD and FreeBSD in this regard, > and I very much doubt there is a bug as basic as this still undetected. 
> More likely, there is some other difference between your OpenBSD and > FreeBSD setups, as simple as a cable plugged in somewhere :) > > Daniel From owner-freebsd-pf@FreeBSD.ORG Fri Jul 28 06:27:53 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A4C1616A4DE for ; Fri, 28 Jul 2006 06:27:53 +0000 (UTC) (envelope-from bret@immense.net) Received: from kahuna.immense.net (kahuna.immense.net [68.224.223.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4CFB443D49 for ; Fri, 28 Jul 2006 06:27:53 +0000 (GMT) (envelope-from bret@immense.net) Received: from bret (bret.immense.local [10.0.10.200]) by kahuna.immense.net (Postfix) with ESMTP id D635E2280C for ; Fri, 28 Jul 2006 01:25:23 -0500 (CDT) From: "Bret J Esquivel" To: Date: Fri, 28 Jul 2006 01:25:25 -0500 Message-ID: <00c501c6b20e$9cdcf350$c80a000a@bret> MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook 11 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869 Thread-Index: AcayDpx4mgZ7/LSjSLSJKYBzIZWXRw== Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: PF and VLANs X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jul 2006 06:27:53 -0000 Hi Guys, I've been struggling the past few days setting up a VLAN network. Here is the situation. I have a Netgear 24-port managed switch inside an office building. I'd like to give each tenant its own VLAN, which will then go to our FreeBSD router and out to the internet. I had it working fine on a test port; however, anyone on that VLAN could still get routed to the other networks on the LAN, but it is going through the router.
Client pc -> router -> other client pc. How can I stop this? I've tried a bunch of blocks within pf with no joy. Thanks, Bret From owner-freebsd-pf@FreeBSD.ORG Fri Jul 28 08:35:36 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9945016A4E0 for ; Fri, 28 Jul 2006 08:35:36 +0000 (UTC) (envelope-from solinym@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.179]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2E38A43D45 for ; Fri, 28 Jul 2006 08:35:35 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by py-out-1112.google.com with SMTP id b36so486378pyb for ; Fri, 28 Jul 2006 01:35:35 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=WkXLtRa3WJ8y3gxcpKlYZYkiaOciSf52JK20xBjAIcYeDRcgmyyUhIpnPKMNg4VCN+ZdSBL3ZfZ5WOljuv+khJUYRTYH9YEHKlPtpxvy9bdplfdp5qEzCHhFYDECONRx4SsquIgm8KFaHK6YY6YHPRsOAlXuP+eXymy507r4abM= Received: by 10.35.79.3 with SMTP id g3mr14149602pyl; Fri, 28 Jul 2006 01:35:35 -0700 (PDT) Received: by 10.35.34.13 with HTTP; Fri, 28 Jul 2006 01:35:35 -0700 (PDT) Message-ID: Date: Fri, 28 Jul 2006 03:35:35 -0500 From: "Travis H." 
To: "Bret J Esquivel" In-Reply-To: <00c501c6b20e$9cdcf350$c80a000a@bret> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <00c501c6b20e$9cdcf350$c80a000a@bret> Cc: freebsd-pf@freebsd.org Subject: Re: PF and VLANs X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jul 2006 08:35:36 -0000 On 7/28/06, Bret J Esquivel wrote: > our FreeBSD router and out to the internet. I had it working fine on a test > port, however, anyone on that vlan could still get routed to the other > networks on the lan, but it is going through the router. Client pc -> router > -> other client pc. How can I stop this? I've tried a bunch of blocks within > pf with no joy. Do you have a trunked line going to the fbsd box? 
-- "if you're not part of the solution, you're part of the precipitate" Unix "guru" for rent or hire || http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 From owner-freebsd-pf@FreeBSD.ORG Fri Jul 28 14:52:00 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8649816A500 for ; Fri, 28 Jul 2006 14:52:00 +0000 (UTC) (envelope-from lists@nabble.com) Received: from talk.nabble.com (www.nabble.com [72.21.53.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBF5E43DA1 for ; Fri, 28 Jul 2006 14:51:59 +0000 (GMT) (envelope-from lists@nabble.com) Received: from [72.21.53.38] (helo=jubjub.nabble.com) by talk.nabble.com with esmtp (Exim 4.50) id 1G6Th1-0000oX-FI for freebsd-pf@freebsd.org; Fri, 28 Jul 2006 07:51:59 -0700 Message-ID: <5540790.post@talk.nabble.com> Date: Fri, 28 Jul 2006 07:34:12 -0700 (PDT) From: elmer To: freebsd-pf@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-Sender: elmer.rivera@gmail.com X-Nabble-From: elmer Subject: enable passive/active ftp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jul 2006 14:52:00 -0000 Hi all, I am using pf on FreeBSD 6.1. How do I enable FTP passive and active? I'm following the pf manual but my users can't establish a connection. Is there any debugging for the ftp-proxy? TIA, cheers, elmer -- View this message in context: http://www.nabble.com/enable-passive-active-ftp-tf2015778.html#a5540790 Sent from the freebsd-pf forum at Nabble.com.
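The reason FTP needs ftp-proxy (or a pile of pinholes) behind pf, shown as an added example that is not part of this thread and not ftp-proxy's own code: FTP agrees the data connection's address and port in-band on the control channel, so a stateful filter watching only port 21 cannot know which port to open. In active mode the client sends PORT and the server connects back to it; in passive mode the server answers 227 (or 229 for EPSV) and the client connects out. The parser below does what a proxy has to do with those lines, refuses the classic "bounce" case where the address named is not the control-channel peer, and prints the one pf rule each negotiated channel would need. The session transcript, all addresses (RFC 5737 documentation ranges) and the $ext_if macro are constructed for the example; the rule text is the non-NAT case, since behind NAT the proxy must additionally rewrite the address in PORT.

```python
"""
Added example: parse the FTP control-channel lines that negotiate a data
connection, the way a proxy in front of pf must, and derive the pinhole.
Not from the mailing-list thread and not ftp-proxy's code. All sample data
is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Client -> server, active mode: "PORT h1,h2,h3,h4,p1,p2" (server will connect back to h:p)
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Server -> client, passive mode: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Server -> client, extended passive (RFC 2428): "229 Entering Extended Passive Mode (|||port|)"
_EPSV_RE = re.compile(r"^229\s.*?\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str       # "active" or "passive"
    host: str       # address the connecting side must reach
    port: int
    connects: str   # who opens the data connection: "server" (active) or "client" (passive)


def _host_port(fields: Tuple[str, ...]) -> Tuple[str, int]:
    """Decode the six comma-separated numbers into (dotted quad, port); reject garbage."""
    nums = [int(x) for x in fields]
    if any(n > 255 for n in nums):
        raise ValueError("FTP address/port field out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(str(n) for n in nums[:4]), port


def parse_control_line(line: str, control_peer: str) -> Optional[DataChannel]:
    """Return the data channel a control-channel line negotiates, or None.

    control_peer is the address of the host that sent the line (the client for
    PORT, the server for 227/229). EPSV carries no address, so the peer's own
    address is used, as RFC 2428 specifies.
    """
    m = _PORT_RE.match(line)
    if m:
        host, port = _host_port(m.groups())
        return DataChannel("active", host, port, "server")
    m = _PASV_RE.match(line)
    if m:
        host, port = _host_port(m.groups())
        return DataChannel("passive", host, port, "client")
    m = _EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("EPSV port out of range")
        return DataChannel("passive", control_peer, port, "client")
    return None


def is_bounce_attempt(chan: DataChannel, control_peer: str) -> bool:
    """A PORT or 227 that names an address other than the control-channel peer
    asks the proxy to open a pinhole to a third host (the FTP bounce attack).
    A proxy should refuse to relay such a request."""
    return chan.host != control_peer


def pf_pinhole(chan: DataChannel, ext_if: str = "$ext_if") -> str:
    """The single pf rule this negotiated data connection needs (pf.conf syntax
    as used in the thread; $ext_if is an assumed macro). Active mode needs an
    inbound pass to the client's port, passive mode an outbound pass to the
    server's port. This is the non-NAT case."""
    if chan.mode == "active":
        return (f"pass in on {ext_if} inet proto tcp from any "
                f"to {chan.host} port {chan.port} flags S/SA keep state")
    return (f"pass out on {ext_if} inet proto tcp from any "
            f"to {chan.host} port {chan.port} flags S/SA keep state")


def scan_session(lines, client: str, server: str):
    """Walk a control-channel transcript of (sender, line) pairs, where sender is
    "C" or "S", and split the negotiated channels from refused bounce attempts."""
    channels, bounces = [], []
    for sender, line in lines:
        peer = client if sender == "C" else server
        chan = parse_control_line(line, peer)
        if chan is None:
            continue
        (bounces if is_bounce_attempt(chan, peer) else channels).append(chan)
    return channels, bounces


# Constructed transcript: internal client 192.0.2.10 talking to server 198.51.100.7.
SAMPLE_SESSION = [
    ("C", "USER anonymous"),
    ("S", "230 Login successful."),
    ("C", "PORT 192,0,2,10,195,80"),                           # active, port 195*256+80 = 50000
    ("S", "200 PORT command successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,200,16)."),  # passive, port 51216
    ("C", "PORT 203,0,113,9,0,25"),                            # bounce: third host, port 25
    ("S", "229 Entering Extended Passive Mode (|||60000|)"),   # passive, server:60000
]

if __name__ == "__main__":
    chans, bad = scan_session(SAMPLE_SESSION, "192.0.2.10", "198.51.100.7")
    for c in chans:
        print(c.mode, "->", pf_pinhole(c))
    for b in bad:
        print("REFUSED bounce attempt to", b.host, b.port)
```

Run it and each negotiated channel prints the rule it would need; the PORT naming 203.0.113.9 is reported as a refused bounce because it does not match the client that sent it. The practical point for the thread: without a proxy doing this parsing, the only way to let passive FTP through pf is a blanket pass on a high port range, which is exactly the kind of rule the reply below resorts to.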
From owner-freebsd-pf@FreeBSD.ORG Fri Jul 28 17:50:00 2006
Message-ID: <20060728124958.opaevzcg04s0gg4s@mail.bafirst.com>
Date: Fri, 28 Jul 2006 12:49:58 -0500
From: eculp@bafirst.com
To: freebsd-pf@freebsd.org
References: <5540790.post@talk.nabble.com>
In-Reply-To: <5540790.post@talk.nabble.com>
Subject: Re: enable passive/active ftp
X-List-Received-Date: Fri, 28 Jul 2006 17:50:01 -0000

Quoting elmer :
>
> Hi all,
>
> I am using pf on FreeBSD 6.1. How do I enable FTP passive and active?
> I'm following the pf manual but my users can't establish a connection.
> Is there any debugging for the ftp-proxy?
>

IIRC you need to open the following ports for passive ftp but I could be
wrong. I seldom allow ftp.

# pass in on $ext_if inet proto tcp from any to ($ext_if) port 49152:65534 flags S/SA keep state

I also redirect ftp to a non-privileged port, something like:

# rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 10021

You will need to configure your ftp daemon also and then season to taste
and it should work. Someone please correct me, if I've missed something.

ed

> tia
> cheers,
> elmer
> --
> View this message in context:
> http://www.nabble.com/enable-passive-active-ftp-tf2015778.html#a5540790
> Sent from the freebsd-pf forum at Nabble.com.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Fri Jul 28 23:07:51 2006
Message-Id: <200607290107.34701.max@love2party.net>
Date: Sat, 29 Jul 2006 01:07:28 +0200
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
References: <5540790.post@talk.nabble.com> <20060728124958.opaevzcg04s0gg4s@mail.bafirst.com>
In-Reply-To: <20060728124958.opaevzcg04s0gg4s@mail.bafirst.com>
Subject: Re: enable passive/active ftp
X-List-Received-Date: Fri, 28 Jul 2006 23:07:51 -0000

On Friday 28 July 2006 19:49, eculp@bafirst.com wrote:
> Quoting elmer :
> > Hi all,
> >
> > I am using pf on FreeBSD 6.1. How do I enable FTP passive and active?
> > I'm following the pf manual but my users can't establish a connection.
> > Is there any debugging for the ftp-proxy?
>
> IIRC you need to open the following ports for passive ftp but I could be
> wrong. I seldom allow ftp.
>
> # pass in on $ext_if inet proto tcp from any to ($ext_if) port
> 49152:65534 flags S/SA keep state
>
> I also redirect ftp to a non-privileged port, something like:
>
> # rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 10021
>
> You will need to configure your ftp daemon also and then season to
> taste and it should work. Someone please correct me, if I've missed
> something.

I suggest looking at ftp/pftpx from ports. It is much better than the
ftp-proxy we have in base and (iff I finally get round to finishing a new
import from OpenBSD) will eventually replace the version in base.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
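As an added example that is not part of any message in this thread, here is the wide-open passive-range rule eculp posted placed beside a tighter pf.conf for the base ftp-proxy(8) on FreeBSD 6.x that Max refers to; the interface names, the proxy port 8021, the inetd(8) line and the "proxy" user are assumptions, not values from the thread.

```pf
# Added example, not from the thread. Assumes ftp-proxy(8) from base is
# started by inetd(8) on 127.0.0.1 port 8021 with an /etc/inetd.conf line
# such as (assumed):
#   ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
# and that it runs as the "proxy" pseudo-user.
ext_if = "fxp0"   # assumed outside interface
int_if = "fxp1"   # assumed LAN interface

# Weak variant as posted: any host may open a SYN to a 16k-port range on
# the outside address, whatever process (if any) is listening there.
#pass in on $ext_if inet proto tcp from any to ($ext_if) port 49152:65534 flags S/SA keep state

# Tighter variant: redirect LAN clients' FTP control connections to the
# local proxy, then allow only sockets owned by the proxy user outside.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

block in log all
block out log all

# LAN clients reach the proxy's control port (the rdr target)
pass in on $int_if inet proto tcp from $int_if:network to 127.0.0.1 port 8021 flags S/SA keep state

# proxy to the servers: control channel and passive-mode data channels
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 user proxy flags S/SA keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port > 1023 user proxy flags S/SA keep state

# active mode: the server connects back, but only to a socket the proxy owns
pass in on $ext_if inet proto tcp from any to ($ext_if) port > 49151 user proxy flags S/SA keep state

# ordinary LAN traffic
pass in on $int_if inet from $int_if:network to any keep state
pass out on $ext_if inet from ($ext_if) to any keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the difference from the posted rule is that inbound data connections are matched on socket ownership rather than on a bare port range.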